Date: Tue, 14 Jan 2014 04:42:54 -0800
From: Yuri <yuri@rawbw.com>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>, freebsd-pkg@freebsd.org
Subject: Re: Does pkg check signatures?
Message-ID: <52D530CE.4090908@rawbw.com>
In-Reply-To: <52D52926.5090104@infracaninophile.co.uk>
References: <52D5269A.5090803@rawbw.com> <52D52926.5090104@infracaninophile.co.uk>

On 01/14/2014 04:10, Matthew Seaman wrote:
> pkg is fully capable of checking cryptographic signatures if configured
> to do so. Specifically you need 'signature-type' and 'fingerprints'
> defined in your repo.conf
>
> Try using the standard /etc/pkg/FreeBSD.conf available here:
>
> http://svnweb.freebsd.org/base/head/etc/pkg/FreeBSD.conf?view=log
>
> and the public key in /usr/share/keys/pkg available here:
>
> http://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.org.2013102301?view=log

I followed your instructions.

File /usr/local/etc/pkg/repos/FreeBSD.conf is like this:
---begin---
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
---end---

and file /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 is like this:
---begin---
# $FreeBSD$

function: "sha256"
fingerprint: "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438"
---end---

'pkg install' reads the first file, doesn't read the second file, and
succeeds downloading and installing a package.

Something is wrong. Which file is this fingerprint for? Every downloaded
file should have an individual signature downloaded with it.

Yuri
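
An added example, not part of the message above and not pkg's own code: a Python check of a public key against fingerprint files in the format quoted in the message. It assumes the fingerprint is the SHA-256 of the public key bytes presented by the repository and that a revoked/ directory sits beside trusted/; the function names and the sample key are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Matches lines such as:  fingerprint: "b017..."
FIELD = re.compile(r'^\s*(\w+)\s*[:=]\s*"([^"]*)"\s*;?\s*$')
HEX64 = re.compile(r"[0-9a-f]{64}")

def parse_fingerprint(text):
    """Parse one fingerprint file into a dict of lower-cased fields."""
    fields = {}
    for line in text.splitlines():
        match = FIELD.match(line.split("#", 1)[0])  # drop "# $FreeBSD$" comments
        if match:
            fields[match.group(1)] = match.group(2).lower()
    if fields.get("function") != "sha256":
        raise ValueError("unsupported or missing hash function")
    if not HEX64.fullmatch(fields.get("fingerprint", "")):
        raise ValueError("fingerprint is not 64 hex digits")
    return fields

def load_fingerprints(directory):
    """Collect the fingerprints from every file in one directory."""
    if not directory.is_dir():
        return set()
    return {parse_fingerprint(f.read_text())["fingerprint"]
            for f in directory.iterdir() if f.is_file()}

def key_is_trusted(pubkey, fingerprints_dir):
    """True only if the key's SHA-256 is listed in trusted/ and not in revoked/."""
    digest = hashlib.sha256(pubkey).hexdigest()
    root = Path(fingerprints_dir)
    if digest in load_fingerprints(root / "revoked"):
        return False
    return digest in load_fingerprints(root / "trusted")

def demo():
    """Build a constructed fingerprints directory and test two keys against it."""
    key = b"-----BEGIN PUBLIC KEY-----\nconstructed sample\n-----END PUBLIC KEY-----\n"
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp, "trusted")
        trusted.mkdir()
        body = '# $FreeBSD$\nfunction: "sha256"\nfingerprint: "%s"\n'
        (trusted / "sample.key").write_text(body % hashlib.sha256(key).hexdigest())
        return key_is_trusted(key, tmp), key_is_trusted(key + b"tampered", tmp)

if __name__ == "__main__":
    print(demo())
```
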